GDPR (RGPD in Portuguese) has applied since 25 May 2018, but questions keep coming up. Not every organization feels ready to comply with the procedures the Regulation requires. That is why we have prepared 7 questions about GDPR that need to be answered.
Under the Regulation (Article 4(1)), personal data means any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
In the event of an infringement of the rights conferred by GDPR, any data subject may bring the matter before the courts. Administrative fines may reach up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. (Explicit consent is required only in specific cases, such as processing of special categories of data.)
The appointment of a DPO is mandatory in the following cases:
1) Public authorities or bodies (except courts acting in their judicial capacity);
2) Entities whose core activities consist of regular and systematic monitoring of data subjects on a large scale;
3) Entities whose core activities consist of large-scale processing of special categories of data (sensitive data) or of data relating to criminal convictions and offences.
Under GDPR, the Data Protection Officer (DPO) may be a member of the organization's staff or an external person working under a service contract, provided certain conditions are met. The DPO must have expert knowledge of data protection law and practice. It is not mandatory to be a lawyer, but the DPO must have in-depth legal knowledge of data protection and practical experience in the field. The DPO must be able to advise the company's management and employees on their obligations under the Regulation and under other Union or Member State data protection provisions. It is important that this professional is able to train staff, communicate clearly and be understood by all employees of the company. The DPO needs to know the company well, in particular the procedures of each department. The DPO is also required to monitor the company's compliance with GDPR, including through audits, and acts as the contact point for the supervisory authority. The Regulation allows the DPO to carry out other tasks and duties, as long as they do not result in a conflict of interests, but it is advisable that the DPO devotes most (or even all) of their time to data protection and compliance.
The Regulation raises the bar for current data collection and processing practices in Portugal by introducing stricter rules for companies on consent for the collection and processing of personal data. Consent is only one of the lawful bases for processing: companies should also consider whether the processing is necessary for a contract with the data subject, for compliance with a legal obligation or to protect the vital interests of the data subject. Where none of these applies, a contact taken from a business card, for example, cannot be added to a database without the consent of its owner. In practical terms, pre-ticked boxes, silence, inactivity and consent buried in terms and conditions will no longer be accepted, as none of these counts as a valid way of demonstrating consent under the Regulation.
The injured data subject and the Portuguese supervisory authority, the National Data Protection Commission (CNPD).